Bug 169857 (php-safemode-wontfix, safemode, safe_mode)
| Summary: | php open_basedir / safe mode bypass | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
| Component: | vulnerability | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED WONTFIX | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jlieskov, jorton, kseifried, mjc, thoger, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323585 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-10-12 12:21:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Josh Bressers
2005-10-04 14:32:53 UTC
The PHP "safe mode" and "open_basedir" configuration options are intended to prevent an interpreted script from executing arbitrary system commands or opening arbitrary files on the system. But the PHP interpreter does not offer a "sandboxed" security layer (as found in, say, a JVM) with which to reliably implement these features, so they cannot be relied upon as a security feature.

Any bug in PHP (or any extension) which allows a script to corrupt memory or cause the interpreter to crash may allow the script to bypass safe mode or open_basedir. Similarly, any feature of a bundled (or third-party) extension which allows the script to open arbitrary files, or execute arbitrary commands, may allow the script to bypass safe mode or open_basedir.

For these reasons, bugs in the "safe mode" and "open_basedir" options, or any bugs in the PHP interpreter or extensions which allow scripts to bypass these options, will not be treated as security-sensitive.

See also http://www.php.net/security-note.php for the similar position taken by the PHP project.

*** Bug 172204 has been marked as a duplicate of this bug. ***

This bug will be used as a meta-bug for tracking PHP "safe"-mode/open_basedir issues, which will in general not be fixed in updates for Red Hat Enterprise Linux of the PHP package.

*** Bug 205003 has been marked as a duplicate of this bug. ***
*** Bug 206276 has been marked as a duplicate of this bug. ***
*** Bug 240155 has been marked as a duplicate of this bug. ***
*** Bug 278001 has been marked as a duplicate of this bug. ***
*** Bug 277971 has been marked as a duplicate of this bug. ***
*** Bug 277991 has been marked as a duplicate of this bug. ***
*** Bug 278071 has been marked as a duplicate of this bug. ***
*** Bug 287971 has been marked as a duplicate of this bug. ***
*** Bug 290591 has been marked as a duplicate of this bug. ***

Safe mode feature was removed upstream for the upcoming PHP 6 release:

http://www.php.net/manual/en/features.safe-mode.php

Warning: Safe Mode was removed in PHP 6.0.0.

*** Bug 452206 has been marked as a duplicate of this bug. ***
*** Bug 452207 has been marked as a duplicate of this bug. ***
*** Bug 436541 has been marked as a duplicate of this bug. ***
*** Bug 476985 has been marked as a duplicate of this bug. ***
*** Bug 476986 has been marked as a duplicate of this bug. ***
*** Bug 459569 has been marked as a duplicate of this bug. ***
*** Bug 539529 has been marked as a duplicate of this bug. ***

Mitre's CVE-2009-3557 entry:
---------------------------
The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288945
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6601

Mitre's CVE-2009-3558 entry:
----------------------------
The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/posix/posix.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/posix/posix.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288943
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6600

*** Bug 541239 has been marked as a duplicate of this bug. ***
*** Bug 548532 has been marked as a duplicate of this bug. ***
*** Bug 577578 has been marked as a duplicate of this bug. ***
*** Bug 617578 has been marked as a duplicate of this bug. ***
*** Bug 601897 has been marked as a duplicate of this bug. ***
*** Bug 598562 has been marked as a duplicate of this bug. ***
*** Bug 617211 has been marked as a duplicate of this bug. ***
*** Bug 618359 has been marked as a duplicate of this bug. ***
*** Bug 618366 has been marked as a duplicate of this bug. ***
*** Bug 618579 has been marked as a duplicate of this bug. ***
*** Bug 617180 has been marked as a duplicate of this bug. ***
*** Bug 618785 has been marked as a duplicate of this bug. ***
*** Bug 601901 has been marked as a duplicate of this bug. ***
*** Bug 619324 has been marked as a duplicate of this bug. ***
*** Bug 651204 has been marked as a duplicate of this bug. ***
*** Bug 656917 has been marked as a duplicate of this bug. ***
*** Bug 662707 has been marked as a duplicate of this bug. ***
*** Bug 670792 has been marked as a duplicate of this bug. ***
*** Bug 683183 has been marked as a duplicate of this bug. ***
*** Bug 718253 has been marked as a duplicate of this bug. ***
*** Bug 802591 has been marked as a duplicate of this bug. ***
*** Bug 802591 has been marked as a duplicate of this bug. ***
*** Bug 783609 has been marked as a duplicate of this bug. ***
*** Bug 841972 has been marked as a duplicate of this bug. ***

Created attachment 599581
CVE-2012-3365-test.patch

Use this patch to fix this issue. I have used this patch file on my PHP 5.2.17 and got this from http://git.php.net/?p=php-src.git;a=commit;h=055ecbc62878e86287d742c7246c21606cee8183

*** Bug 918196 has been marked as a duplicate of this bug. ***

(In reply to Tomas Hoger from comment #13)
> Safe mode feature was removed upstream for the upcoming PHP 6 release:
>
> http://www.php.net/manual/en/features.safe-mode.php
>
> Warning: Safe Mode was removed in PHP 6.0.0.

Upstream versioning plans apparently changed since comment 13 was made. Safe mode was deprecated in 5.3.0 and removed in 5.4.0.
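
An added example, not part of the bug report or of any Red Hat or PHP code: a small php.ini audit that flags the two settings this bug says cannot be relied on, using the version boundaries quoted in the comments above. The function names and the sample configuration are constructed for illustration; the version ranges are upstream ones, and distribution packages may differ.

```python
import re

ON_VALUES = {"1", "on", "true", "yes"}

def parse_version(text):
    """'5.3.1' -> (5, 3, 1); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def safe_mode_status(version):
    """Per the last comment: deprecated in 5.3.0, removed in 5.4.0."""
    v = parse_version(version)
    return "removed" if v >= (5, 4, 0) else "deprecated" if v >= (5, 3, 0) else "present"

def in_cve_2009_3557_3558_range(version):
    """Upstream range quoted from Mitre: <= 5.2.11, or 5.3.x before 5.3.1."""
    v = parse_version(version)
    return v <= (5, 2, 11) or (5, 3, 0) <= v < (5, 3, 1)

def audit_ini(ini_text, version):
    """Return (line_no, directive, note) for settings the bug says not to rely on."""
    status, findings = safe_mode_status(version), []
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        if "=" not in line:
            continue                          # section header, comment or blank line
        key, value = (s.strip().strip('"') for s in line.split("=", 1))
        key = key.lower()
        if key == "safe_mode" and value.lower() in ON_VALUES:
            note = ("ignored: safe mode was removed in 5.4.0" if status == "removed"
                    else f"safe mode ({status}) cannot be relied on as a security feature")
        elif key == "open_basedir" and value:
            note = "open_basedir cannot be relied on as a security feature"
        else:
            continue
        if in_cve_2009_3557_3558_range(version):
            note += "; version is in the CVE-2009-3557/CVE-2009-3558 range"
        findings.append((no, key, note))
    return findings

# Constructed sample configuration, not taken from the bug report.
SAMPLE_INI = """[PHP]
safe_mode = On            ; shared hosting "isolation"
;open_basedir = /srv/old
open_basedir = "/var/www/site1:/tmp"
"""

if __name__ == "__main__":
    print(*audit_ini(SAMPLE_INI, "5.2.11"), sep="\n")
```
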